Refactor DashboardCollectionList: Simplify search input layout and improve tag selection logic for better user experience.

README.md

@@ -64,9 +64,25 @@ The Admin UI runs at `http://localhost:2001` (different port to avoid conflict w
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `NEXT_PUBLIC_RUSTYCMS_API_URL` | `http://127.0.0.1:3000` | RustyCMS API base URL |
-| `NEXT_PUBLIC_RUSTYCMS_API_KEY` | – | API key for write operations (same as `RUSTYCMS_API_KEY`) |
+| `NEXT_PUBLIC_RUSTYCMS_API_KEY` | – | API key for write operations (same as `RUSTYCMS_API_KEY`). Optional if you use the Admin UI login. |
 
-If the API requires auth, set `NEXT_PUBLIC_RUSTYCMS_API_KEY` so the Admin UI can create, update and delete entries.
+**API key setup (backend + Admin UI):**
+
+1. **Backend** – In the project root (next to `Cargo.toml`), create or edit `.env`:
+   ```bash
+   RUSTYCMS_API_KEY=dein-geheimer-schluessel
+   ```
+   Use any secret string (e.g. `openssl rand -hex 32`). Start the API with `cargo run`; the log should show that API key auth is enabled.
+
+2. **Admin UI** – Either:
+   - **Option A:** In `admin-ui/.env.local` set the same key so the UI can write without logging in:
+     ```bash
+     NEXT_PUBLIC_RUSTYCMS_API_URL=http://127.0.0.1:3000
+     NEXT_PUBLIC_RUSTYCMS_API_KEY=dein-geheimer-schluessel
+     ```
+   - **Option B:** Leave `NEXT_PUBLIC_RUSTYCMS_API_KEY` unset. Open the Admin UI, click **Login** in the sidebar, enter the same API key, and submit. The key is stored in the browser (sessionStorage) until you log out or close the tab.
+
+3. **Check:** Without a key, `GET /api/collections` returns 200; `POST`/`PUT`/`DELETE` return 401. With header `X-API-Key: dein-geheimer-schluessel` (or `Authorization: Bearer …`), write requests succeed.
 
 ### CLI options
 
@@ -89,7 +105,10 @@ A `.env` in the project directory is loaded at startup. See `.env.example`.
 |--------------------------|---------------|--------------|
 | `RUSTYCMS_STORE`         | `file`        | Store backend: `file` or `sqlite` |
 | `RUSTYCMS_DATABASE_URL`  | `sqlite:content.db` | When using `sqlite`: SQLite URL (fallback: `DATABASE_URL`) |
-| `RUSTYCMS_API_KEY`       | –             | Optional. When set: POST/PUT/DELETE require this key (Bearer or X-API-Key). GET stays public. |
+| `RUSTYCMS_API_KEY`       | –             | Optional. Single key = full write access (Bearer or X-API-Key). GET stays public. |
+| `RUSTYCMS_API_KEYS`      | –             | Optional. Multiple keys with roles: `key1:read_write,key2:read`. Roles: `read`, `read_write`, `admin`. Overrides `RUSTYCMS_API_KEY`. |
+| `RUSTYCMS_ENVIRONMENTS`  | –             | Optional. Comma-separated (e.g. `production,staging`). File store only. Content per env; API uses `?_environment=staging`. |
+| `RUSTYCMS_WEBHOOKS`      | –             | Optional. Comma-separated URLs. POST with JSON `{ event, collection?, slug?, ... }` on content/asset/schema create/update/delete. |
 | `RUSTYCMS_CORS_ORIGIN`   | all           | Optional. One allowed CORS origin (e.g. `https://my-frontend.com`). Empty or `*` = all allowed. |
 | `RUSTYCMS_CACHE_TTL_SECS` | `60`          | Optional. Response cache for GET /api/content in seconds. `0` = cache off. |